Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 #338 (#337)

Merged: crivetimihai merged 8 commits into main from strengthen-ui on Jul 10, 2025

Conversation

@crivetimihai (Member) commented Jul 9, 2025

Add proper HTML escaping for admin UI user data rendering

Closes #336 closes #338

Changes

  • Added escapeHtml() function that escapes HTML special characters
  • Applied HTML escaping to all user data before rendering in modals and tables
  • Implemented safe DOM manipulation using textContent for table cells
  • Added safeUrl() helper for URL validation

Impact

  • Ensures user input displays correctly as text content without unintended HTML rendering
  • Improves data display consistency across admin UI components
  • Applies proper output encoding throughout the interface

Testing

  • Verified HTML content like <img src=x onerror="alert('test')"> is properly escaped and displayed as text
  • Confirmed all user data displays correctly without breaking existing functionality

Additional Improvements to Consider

Immediate:

  • Add Content Security Policy (CSP) headers for enhanced browser protection
  • Implement server-side input validation
  • Review file upload functionality for similar rendering issues
  • Add automated testing for proper data escaping

Medium-term:

  • Consider migrating to a dedicated sanitization library (e.g., DOMPurify)
  • Add CSRF protection for form submissions
  • Establish consistent data handling patterns across components

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
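The PR description names an escapeHtml() function, a safeUrl() helper, and the use of escaped values when rendering table rows. The block below is an added example written for this page, not the project's own code: it shows one plausible shape for those two helpers and a row renderer that uses them, exercised with a constructed tool record whose name is the `<img src=x onerror="alert('test')">` test string from the description. Field names (`name`, `description`, `url`) and the `https://placeholder.invalid/` base origin are assumptions.

```javascript
// Added example, not the project's code. Minimal output-encoding helpers of
// the kind the PR describes, plus a row renderer that applies them.

// Five characters are enough for text nodes and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // A missing field becomes an empty string rather than the text "undefined".
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only these schemes are accepted for href attributes; anything else
// (javascript:, data:, vbscript:, unparsable input) falls back.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

function safeUrl(value, fallback = '#') {
  if (typeof value !== 'string') return fallback;
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing whitespace and embedded tabs or
    // newlines before reading the scheme, so " java\tscript:" is still
    // recognised as javascript:. Relative paths resolve against an assumed
    // placeholder origin; an absolute URL keeps its own scheme regardless.
    parsed = new URL(value, 'https://placeholder.invalid/');
  } catch {
    return fallback;
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return fallback;
  // Return the validated input, not the resolved href, so relative admin
  // links stay relative. It still needs escapeHtml() when put in an attribute.
  return value;
}

// Row rendering via a template string: every interpolated value is escaped.
// In the browser, setting `cell.textContent = value` would need no escaping;
// this path exists for code that assembles markup as a string.
function renderToolRow(tool) {
  return '<tr>' +
    `<td>${escapeHtml(tool.name)}</td>` +
    `<td>${escapeHtml(tool.description)}</td>` +
    `<td><a href="${escapeHtml(safeUrl(tool.url))}">link</a></td>` +
    '</tr>';
}

// Constructed sample record: the PR's own test payload as the name, a missing
// description, and a javascript: URL that must not reach an href.
const SAMPLE_TOOL = {
  name: '<img src=x onerror="alert(\'test\')">',
  description: null,
  url: 'javascript:alert(1)',
};

function renderSample() {
  return renderToolRow(SAMPLE_TOOL);
}
```

The renderer is deliberately the only place markup is assembled, and every value crosses into it through escapeHtml(); safeUrl() decides whether a link is allowed at all, and escapeHtml() then encodes whatever string is chosen so a quote in the URL cannot close the attribute.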
@crivetimihai crivetimihai added this to the Release 0.4.0 milestone Jul 9, 2025
@crivetimihai crivetimihai self-assigned this Jul 9, 2025
@crivetimihai crivetimihai added bug Something isn't working security Improves security labels Jul 9, 2025
@crivetimihai crivetimihai changed the title Add proper HTML escaping for admin UI user data rendering closes #336 Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 Jul 10, 2025
@crivetimihai crivetimihai changed the title Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 #338 Jul 10, 2025
@crivetimihai crivetimihai merged commit acd1619 into main Jul 10, 2025
22 of 23 checks passed
@crivetimihai crivetimihai deleted the strengthen-ui branch July 10, 2025 03:45
vk-playground pushed a commit to vk-playground/mcp-context-forge that referenced this pull request Sep 14, 2025
…ate all web lint issues closes IBM#336 IBM#338 (IBM#337)

* Initial validation and XSS protection for UI

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Race condition UI fix

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Full lint compliance for web stack

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Full lint compliance for web stack and fixed metrics tab

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Full lint compliance for web stack and fixed metrics tab

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Full lint compliance for web stack and fixed metrics tab

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Don't show full json

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Cleanup escape issues

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
vk-playground pushed a commit to vk-playground/mcp-context-forge that referenced this pull request Sep 16, 2025

Development

Successfully merging this pull request may close these issues.

[CHORE][SECURITY]: Eliminate all lint issues in web stack [FEATURE][SECURITY]: Implement output escaping for user data in UI
